LinuxQuestions.org


cdeorla 09-20-2003 07:34 PM

SuSEfirewall2
 
Ok, so I've tried everything I can think of to make this work - no luck

All I want to do is pass port 25 traffic coming from the internet through our firewall (private address) over to the DMZ (private address) where a postfix box resides, then forward off to another DMZ (private address) or back to the firewall where it will get routed to an internal server...

So therefore, the flow would be

Internet ---> firewall ----> My DMZ postfix 1 -----> firewall (postfix)
|
| (or based on destination)
|
------> Other DMZ postfix 2


firewall = int 172.23.1.76
ext 216.200.200.200
dmz 10.10.100.2


My DMZ = eth0 10.10.100.200
eth1 10.10.10.200
eth2 172.23.1.199

Other DMZ = eth0 10.10.100.150
eth1 10.10.10.20

I know it sounds like a rigmarole, but I have my reasons....

Someone must have done this - I'll even settle for traffic passing from f/w to my DMZ as a starting point ????

Send me a working config if you have one - thx in advance...

Help and thanks in advance !?!

unSpawn 09-20-2003 09:26 PM

Send me a working config if you have one
Add log target rules for any "decision", check the logs and adjust your rules accordingly. Then post the output and the script you're using.

cdeorla 09-21-2003 05:51 AM

new (related ?) problem
 
Alrighty... here's the deal...

I followed one document that gave me a little insight into what I needed to try and that worked - sort of.

The new problem of the day is now:

When a connection comes in from the internet on port 25, it is reverse-masq forwarded to the DMZ, however it only allows one connection at a time. The other connections that come through go into a SYN_SENT state and then eventually a TIME_WAIT state and then either time out or as each connection is cleared the next one connects. For SMTP traffic this means that typically the connection is dropped and then retried later. For example, I sent two simultaneous emails from outside to myself from different sources - one went through (slowly I might add), the other one took almost 15 minutes to retry but finally made it through.

While one connection is made the others sit and wait or are dropped (connection failure - not dropped by the firewall)

Any ideas ? We process about 1000 emails a day....

Cd

Z8002 09-21-2003 04:12 PM

You may find the thread that I started to be of some help.

FW_FORWARD_MASQ="194.217.242.164,192.168.0.2,tcp,25 "

works for me, from Demon Internet.

194.217.242.164 is where Demon send out smtp,

192.168.0.2 is my machine with the local smtp server

But see the caveats in my thread.

HTH

Nick.
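To check entries in this format before loading them, here is an added example (not from this thread or from the SuSEfirewall2 project) that parses a FW_FORWARD_MASQ value, flags what a reviewer would question, and renders the approximate DNAT rule each entry stands for. The field layout is assumed from the SuSEfirewall2 config comments; the sample value is constructed from the addresses in this thread.

```python
import ipaddress

# Layout of one FW_FORWARD_MASQ entry (assumed from the SuSEfirewall2 config
# comments, not taken from this thread):
#   <source net>,<target ip>,<protocol>,<port>[,<target port>[,<external ip>]]
# Entries are separated by whitespace inside the quoted value.
VALID_PROTOS = {"tcp", "udp"}

def parse_forward_masq(value):
    """Split a FW_FORWARD_MASQ value into validated rule dicts; raise on a bad entry."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if not 4 <= len(fields) <= 6:
            raise ValueError(f"{entry!r}: expected 4 to 6 comma separated fields")
        src, target, proto, port = fields[:4]
        src_net = ipaddress.ip_network("0.0.0.0/0" if src == "0/0" else src, strict=False)
        if proto not in VALID_PROTOS:
            raise ValueError(f"{entry!r}: protocol must be tcp or udp")
        port_num = int(port)
        target_port = int(fields[4]) if len(fields) > 4 else port_num
        for p in (port_num, target_port):
            if not 1 <= p <= 65535:
                raise ValueError(f"{entry!r}: port {p} out of range")
        rules.append({
            "src": src_net,
            "target": ipaddress.ip_address(target),
            "proto": proto,
            "port": port_num,
            "target_port": target_port,
            "ext": ipaddress.ip_address(fields[5]) if len(fields) > 5 else None,
        })
    return rules

def review(rules):
    """Warnings a firewall reviewer would raise for the parsed rules."""
    notes = []
    for r in rules:
        if not r["target"].is_private:
            notes.append(f"{r['target']}: target is not a private (DMZ) address")
        if r["src"].prefixlen == 0:
            notes.append(f"{r['proto']}/{r['port']} -> {r['target']}: open to any source")
    return notes

def as_dnat(rule):
    """Approximate DNAT rule this entry stands for (constructed, not SuSEfirewall2 output)."""
    src = "" if rule["src"].prefixlen == 0 else f" -s {rule['src']}"
    dst = f" -d {rule['ext']}" if rule["ext"] else ""
    return (f"iptables -t nat -A PREROUTING{src}{dst} -p {rule['proto']} "
            f"--dport {rule['port']} -j DNAT --to-destination "
            f"{rule['target']}:{rule['target_port']}")

# Constructed sample: the internet -> DMZ postfix case above, plus Nick's entry.
SAMPLE = "0/0,10.10.100.200,tcp,25 194.217.242.164,192.168.0.2,tcp,25 "
```

Run `review(parse_forward_masq(SAMPLE))` to see that only the any-source entry is flagged; the trailing space inside the quotes is harmless because entries are split on whitespace.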

cdeorla 09-21-2003 07:09 PM

My boneheadedness
 
I got it to work....

My routing was apparently the problem....

Things would apparently connect or at least pass through, but it would never connect properly (SYN_RCVD) or (TIME_WAIT)...I read another article with similarities that stated routing was his problem and bingo !

What I will do, once I have a good solid running config, is post it here with my list of "Gotchas" for all the other poor souls living on twinkies and coffee to make this work...

To add more complexities into the mix, now I'm working on Squid in conjunction with all this !!!

I need a life...

Thanks for your responses

Cd
